Exam PCNSA topic 1 question 160 discussion

The given answer D is correct - my previous answers are wrong. There's 2 policies at play here - the security and NAT policy. I thought the question related to the NAT policy - it doesn't - it asks about the security policy.

D is correct

I believe the answer here is B, as the NAT is done on the untrusted side therefore the security policy has to untrusted (any) to untrusted (DNAT), within the NAT configuration the real address would be mapped and so would the DMZ zone.

Pre IP > post zone for incoming traffic

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping#ide8f6a4b3-f875-4855-acb5-5fd9ad918d04

Answer is D: Zone: After NAT Address: Before NAT

Answer is D "It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones". https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview#:~:text=It%20then%20evaluates%20and%20applies%20any%20security%20policies%20that%20match%20the%20packet%20based%20on%20the%20original%20(pre%2DNAT)%20source%20and%20destination%20addresses%2C%20but%20the%20post%2DNAT%20zones

As @Surfside92 mentioned, according to CBT Nuggets video (watched the same) answer should be B. However, @ntir shared the link which shows literally this situation. I would go with D because it's from PA site.

D https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping#ide8f6a4b3-f875-4855-acb5-5fd9ad918d04

answer D

the key in this question is Security policy rule, the traffic will flow through the firewall within two rules, Nat rule policy+Security rule policy.

Must be A. You create the rule to the internal ip.

I've labbed this using a cbtnuggets video. Within the rule you specify the dmz server global ip address and actual local address